AnsweredAssumed Answered

chain issues vs handshake simulation

Question asked by Wiktor Niesiobędzki on Jan 26, 2017

Hi,

 

I noticed. that SSL Server Tests incorrectly reports Java Client Handshake as successful, where in reality - they fail because Java doesn't fetch intermediate certificates if they are not presented by server and thus - fails the server check.

 

Example of such server:

SSL Server Test: emuia1.gugik.gov.pl (Powered by Qualys SSL Labs) 

 

Both Java 7 and Java 8 will fail, as the server doesn't present enough data, to match the certificate with cacert bundled with Java.

 

If the server has complete chain, like for example here:

SSL Server Test: www.pzu.pl (Powered by Qualys SSL Labs) 

 

It connects without issues.

 

It would be great, if SSL Labs Tests would report, which clients may have problems connecting to the server due to this misconfiguration.

Outcomes